Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
AnalysisAI
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.
Technical ContextAI
pretix is an open-source Django-based event ticketing platform (cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*) that supports reusable media including gift cards. The vulnerability stems from CWE-280 (Improper Handling of Insufficient Permissions or Privileges): the export codepath for reusable media serializes gift card records - including their full secret tokens - without applying the same permission-scoped data masking enforced by the UI and REST API. Both the UI and API correctly truncate gift card secrets to their first few characters for users lacking the gift card view permission; the bulk export function omits this check entirely, creating a privilege bypass through an alternate data access path. The inconsistency between export and API/UI data handling is the root technical failure.
RemediationAI
Upgrade to pretix 2026.5.1 or later; the fix version is inferred as 2026.5.1 based on the vendor advisory URL (https://pretix.eu/about/en/blog/20260609-release-2026-5-1/, dated 2026-06-09) and the patch is confirmed available from the vendor, though the exact patched version was not independently verified from advisory body text. As a compensating control prior to patching, restrict the reusable media export capability exclusively to users who already hold the gift card viewing permission - this eliminates the permission boundary inconsistency in practice. Trade-off: tightening export access may affect operational staff who use exports for non-gift-card media inventory. Additionally, audit existing exports generated by users without gift card permissions and treat any exposed secrets as compromised, issuing replacement gift cards where feasible.
pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript
pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ
HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit
An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35407
GHSA-m6hc-99rm-c9wc